Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
41 articles found · #cnpd
GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)
France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.
Workplace video surveillance: CNIL fine of 2 April 2026
On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.
GDPR: first access request may be refused for abuse (CJEU 19/03/2026)
The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.
AEPD vs AENA: €10.04M for a deficient DPIA in biometrics
On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.
Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser
Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.
Recording meetings and calls: €250,000 fine — CNPD framework 2026
On 16/10/2025, the CNIL fined a call center €250,000 for poorly governed recordings. Since April 2026, the CNPD has issued a dedicated framework for meeting recordings: legal basis, transparency, retention, security, and DPIA.
Mandatory DPIA: CNPD vs CNIL — geolocation, two thresholds
In Luxembourg, the CNPD requires a DPIA for any systematic tracking of location. In France, the CNIL only mandates it for large-scale processing of location data.
GDPR Article 6: the Intesa/Isybank lesson on legitimate interest vs consent
Italy’s DPA fined Intesa €17.6M for transferring ~2.4M customers to Isybank without a valid legal basis. Key takeaway: legitimate interest cannot replace valid consent or strict contractual necessity.
CJEU SCHUFA vs ICO: Is GDPR Article 22 a ban or a right?
The CJEU classified credit scoring as automated individual decision-making under GDPR Article 22. The EDPB reads it as a general ban with exceptions, while the ICO frames it as a right to be activated.
Information duty (Art. 14 GDPR): the legal exception clarified in 2026
The French Court of Cassation (Jan 29, 2026) confirms the Art. 14(5)(c) GDPR exception where a law mandates disclosure and provides appropriate safeguards. Useful for tax/social flows and certain B2G sharing in Luxembourg.
GDPR Article 28: Belgian DPA fines SWDE — your DPA must be rock-solid
On 12 May 2026, the Belgian DPA fined SWDE €86,000, including €1,000 for lacking an Article 28-compliant DPA. Key takeaway: without a complete DPA, any outsourced processing leaves the controller non-compliant.
CNPD — Employee vehicle geolocation: 2 months by default, DPIA often required
CNPD clarifies: retention “2 months by default,” no tracking outside working hours if private use is allowed, and DPIA when there is regular/systematic monitoring. Measures to implement immediately.